Spam attack: Email service hacked

Telecom has admitted the Yahoo Xtra email service has been hacked as hundreds of customers continue to receive spam mail, some from dead relatives.

Telecom said today it had been the victim of two separate but potentially related "malicious" attacks.

It said in a statement today that one of those attacks allowed hackers to access email contacts without the user being aware of it.

The security breach, which began on Saturday morning, saw emails sent to everyone on users' contact lists, asking them to click on a link directing them to an online advertisement.

The company said they were told early yesterday the issue had been resolved, but customers told the Herald today the problem was far from over.

An email sent to the New Zealand Herald website from a customer named Carl said Telecom's original explanation that people were sent the email after customers clicked on the link was "bollocks".

"I got spam from my dead brother's account. He obviously hasn't been clicking any links, and for Telecom to blame him for this is just insulting," he said in his email.

Telecom head of external media Jo Jalfon said it was an "unfortunate incident" but spam was sent in enormous volumes every day.

It was unlikely anyone had stolen people's email addresses directly from the Yahoo database.

"We've still got confidence in the security of their system. They've got people working around the clock to try to stop this malicious email spam getting through.

"It's an ongoing battle."

She recommended anyone who had received the spam emails to change their password immediately.

Telecom had no idea how many people had received the emails because they don't have access to peoples' accounts and not everyone would have opened the link, Ms Jalfon said.

NetSafe executive director Martin Cocker said Xtra and Yahoo had suffered a "significant breach" to their email systems and there were 450,000 Xtra Yahoo users who could be affected.

Telecom downplayed the problem when it was thought the spam mails were a "phishing" attempt, he said.

"Telecom have explained, I guess that it's a compromise of the Yahoo database...and the data appears to have been stolen."

A Yahoo spokeswoman said they were working hard to provide customers with an update on the situation.

So far, Telecom has received 400 calls from customers, and some people affected are demanding compensation over the problem.

Telecom's Jo Jalfon said the company would work with individual customers, but it was too early to say if compensation would be paid.

Meanwhile, a computer expert said the spam attack should never have been given an opportunity to happen.

Professor Anthony Robins of Otago University's computer science school said Yahoo had been victim to a "cross site scripting attack, or XSS Attack", which lets people inject malicious script into a website.

Xtra outsources to Yahoo, which uses an old insecure and unpatched version of the Wordpress Blogging software, Prof Robins said.

"It enabled the attackers to insert this malicious code into webpages that Yahoo users were using, including when they were viewing their own email."

That let the hackers capture the log-in details, which allowed them total access to emails until the user logs off the screen.

"That was a well known security vulnerability," he said.

"It's pretty poor practice on their part (not to put in protections)."